Migrate config to cameleer.server.* naming convention

Move all configuration properties under the cameleer.server.* namespace
with all-lowercase dot-separated names and mechanical env var mapping
(dots→underscores, uppercase). This aligns with the agent's convention
(cameleer.agent.*) and establishes a predictable pattern across all
components.

Changes:
- Move 6 config prefixes under cameleer.server.*: agent-registry,
  ingestion, security, license, clickhouse, and cameleer.tenant/runtime/indexer
- Rename all kebab-case properties to concatenated lowercase
  (e.g., bootstrap-token → bootstraptoken, jar-storage-path → jarstoragepath)
- Update all env vars to CAMELEER_SERVER_* mechanical mapping
- Fix container-cpu-request/container-cpu-shares mismatch bug
- Remove displayName from AgentRegistrationRequest (redundant with instanceId)
- Update agent container env vars to CAMELEER_AGENT_* convention
- Update K8s manifests and CI workflow for new env var names
- Update CLAUDE.md, HOWTO.md, SERVER-CAPABILITIES.md documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

HOWTO.md

@@ -42,15 +42,15 @@ mvn clean package -DskipTests
 SPRING_DATASOURCE_URL=jdbc:postgresql://localhost:5432/cameleer3 \
 SPRING_DATASOURCE_USERNAME=cameleer \
 SPRING_DATASOURCE_PASSWORD=cameleer_dev \
-CAMELEER_AUTH_TOKEN=my-secret-token \
+CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN=my-secret-token \
 java -jar cameleer3-server-app/target/cameleer3-server-app-1.0-SNAPSHOT.jar
 ```
 
 > **Note:** The Docker image no longer includes default database credentials. When running via `docker run`, pass `-e SPRING_DATASOURCE_URL=...` etc. The docker-compose setup provides these automatically.
 
-The server starts on **port 8081**. The `CAMELEER_AUTH_TOKEN` environment variable is **required** — the server fails fast on startup if it is not set.
+The server starts on **port 8081**. The `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN` environment variable is **required** — the server fails fast on startup if it is not set.
 
-For token rotation without downtime, set `CAMELEER_AUTH_TOKEN_PREVIOUS` to the old token while rolling out the new one. The server accepts both during the overlap window.
+For token rotation without downtime, set `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKENPREVIOUS` to the old token while rolling out the new one. The server accepts both during the overlap window.
 
 ## API Endpoints
 
@@ -89,7 +89,7 @@ curl -s -X POST http://localhost:8081/api/v1/auth/refresh \
   -d '{"refreshToken":"<refreshToken>"}'
 ```
 
-UI credentials are configured via `CAMELEER_UI_USER` / `CAMELEER_UI_PASSWORD` env vars (default: `admin` / `admin`).
+UI credentials are configured via `CAMELEER_SERVER_SECURITY_UIUSER` / `CAMELEER_SERVER_SECURITY_UIPASSWORD` env vars (default: `admin` / `admin`).
 
 **Public endpoints (no JWT required):** `GET /api/v1/health`, `POST /api/v1/agents/register` (uses bootstrap token), `POST /api/v1/auth/**`, OpenAPI/Swagger docs.
 
@@ -162,7 +162,7 @@ curl -s -X DELETE http://localhost:8081/api/v1/admin/oidc \
   -H "Authorization: Bearer $TOKEN"
 ```
 
-**Initial provisioning**: OIDC can also be seeded from `CAMELEER_OIDC_*` env vars on first startup (when DB is empty). After that, the admin API takes over.
+**Initial provisioning**: OIDC can also be seeded from `CAMELEER_SERVER_SECURITY_OIDC*` env vars on first startup (when DB is empty). After that, the admin API takes over.
 
 ### Logto Setup (OIDC Provider)
 
@@ -192,12 +192,12 @@ Logto is proxy-aware via `TRUST_PROXY_HEADER=1`. The `LOGTO_ENDPOINT` and `LOGTO
    ```
 6. **Configure resource server** (for M2M token validation):
    ```
-   CAMELEER_OIDC_ISSUER_URI=<LOGTO_ENDPOINT>/oidc
-   CAMELEER_OIDC_JWK_SET_URI=http://logto:3001/oidc/jwks
-   CAMELEER_OIDC_AUDIENCE=<api-resource-indicator-from-step-3>
-   CAMELEER_OIDC_TLS_SKIP_VERIFY=true   # optional — skip cert verification for self-signed CAs
+   CAMELEER_SERVER_SECURITY_OIDCISSUERURI=<LOGTO_ENDPOINT>/oidc
+   CAMELEER_SERVER_SECURITY_OIDCJWKSETURI=http://logto:3001/oidc/jwks
+   CAMELEER_SERVER_SECURITY_OIDCAUDIENCE=<api-resource-indicator-from-step-3>
+   CAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY=true   # optional — skip cert verification for self-signed CAs
    ```
-   `JWK_SET_URI` is needed when the public issuer URL isn't reachable from inside containers — it fetches JWKS directly from the internal Logto service. `TLS_SKIP_VERIFY` disables certificate verification for all OIDC HTTP calls (discovery, token exchange, JWKS); use only when the provider has a self-signed CA.
+   `OIDCJWKSETURI` is needed when the public issuer URL isn't reachable from inside containers — it fetches JWKS directly from the internal Logto service. `OIDCTLSSKIPVERIFY` disables certificate verification for all OIDC HTTP calls (discovery, token exchange, JWKS); use only when the provider has a self-signed CA.
 
 ### SSO Behavior
 
@@ -400,20 +400,20 @@ Key settings in `cameleer3-server-app/src/main/resources/application.yml`:
 | `agent-registry.keepalive-interval-seconds` | 15 | SSE ping keepalive interval |
 | `security.access-token-expiry-ms` | 3600000 | JWT access token lifetime (1h) |
 | `security.refresh-token-expiry-ms` | 604800000 | Refresh token lifetime (7d) |
-| `security.bootstrap-token` | `${CAMELEER_AUTH_TOKEN}` | Bootstrap token for agent registration (required) |
-| `security.bootstrap-token-previous` | `${CAMELEER_AUTH_TOKEN_PREVIOUS}` | Previous bootstrap token for rotation (optional) |
-| `security.ui-user` | `admin` | UI login username (`CAMELEER_UI_USER` env var) |
-| `security.ui-password` | `admin` | UI login password (`CAMELEER_UI_PASSWORD` env var) |
-| `security.ui-origin` | `http://localhost:5173` | CORS allowed origin for UI (`CAMELEER_UI_ORIGIN` env var) |
-| `security.cors-allowed-origins` | *(empty)* | Comma-separated CORS origins (`CAMELEER_CORS_ALLOWED_ORIGINS`) — overrides `ui-origin` when set |
-| `security.jwt-secret` | *(random)* | HMAC secret for JWT signing (`CAMELEER_JWT_SECRET`). If set, tokens survive restarts |
+| `cameleer.server.security.bootstraptoken` | `${CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN}` | Bootstrap token for agent registration (required) |
+| `cameleer.server.security.bootstraptokenprevious` | `${CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKENPREVIOUS}` | Previous bootstrap token for rotation (optional) |
+| `cameleer.server.security.uiuser` | `admin` | UI login username (`CAMELEER_SERVER_SECURITY_UIUSER` env var) |
+| `cameleer.server.security.uipassword` | `admin` | UI login password (`CAMELEER_SERVER_SECURITY_UIPASSWORD` env var) |
+| `cameleer.server.security.uiorigin` | `http://localhost:5173` | CORS allowed origin for UI (`CAMELEER_SERVER_SECURITY_UIORIGIN` env var) |
+| `cameleer.server.security.corsallowedorigins` | *(empty)* | Comma-separated CORS origins (`CAMELEER_SERVER_SECURITY_CORSALLOWEDORIGINS`) — overrides `uiorigin` when set |
+| `cameleer.server.security.jwtsecret` | *(random)* | HMAC secret for JWT signing (`CAMELEER_SERVER_SECURITY_JWTSECRET`). If set, tokens survive restarts |
 | `security.oidc.enabled` | `false` | Enable OIDC login (`CAMELEER_OIDC_ENABLED`) |
 | `security.oidc.issuer-uri` | | OIDC provider issuer URL (`CAMELEER_OIDC_ISSUER`) |
 | `security.oidc.client-id` | | OAuth2 client ID (`CAMELEER_OIDC_CLIENT_ID`) |
 | `security.oidc.client-secret` | | OAuth2 client secret (`CAMELEER_OIDC_CLIENT_SECRET`) |
 | `security.oidc.roles-claim` | `realm_access.roles` | JSONPath to roles in OIDC id_token (`CAMELEER_OIDC_ROLES_CLAIM`) |
 | `security.oidc.default-roles` | `VIEWER` | Default roles for new OIDC users (`CAMELEER_OIDC_DEFAULT_ROLES`) |
-| `cameleer.indexer.debounce-ms` | `2000` | Search indexer debounce delay (`CAMELEER_INDEXER_DEBOUNCE_MS`) |
+| `cameleer.server.indexer.debouncems` | `2000` | Search indexer debounce delay (`CAMELEER_SERVER_INDEXER_DEBOUNCEMS`) |
 | `cameleer.indexer.queue-size` | `10000` | Search indexer queue capacity (`CAMELEER_INDEXER_QUEUE_SIZE`) |
 
 ## Web UI Development
@@ -425,7 +425,7 @@ npm run dev          # Vite dev server on http://localhost:5173 (proxies /api to
 npm run build        # Production build to ui/dist/
 ```
 
-Login with `admin` / `admin` (or whatever `CAMELEER_UI_USER` / `CAMELEER_UI_PASSWORD` are set to).
+Login with `admin` / `admin` (or whatever `CAMELEER_SERVER_SECURITY_UIUSER` / `CAMELEER_SERVER_SECURITY_UIPASSWORD` are set to).
 
 The UI uses runtime configuration via `public/config.js`. In Kubernetes, a ConfigMap overrides this file to set the correct API base URL.
 
@@ -496,7 +496,7 @@ cameleer-demo namespace:
 
 Push to `main` triggers: **build** (UI npm + Maven, unit tests) → **docker** (buildx amd64 for server + UI, push to Gitea registry) → **deploy** (kubectl apply + rolling update).
 
-Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_AUTH_TOKEN`, `CAMELEER_JWT_SECRET`, `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB`, `CLICKHOUSE_USER`, `CLICKHOUSE_PASSWORD`, `CAMELEER_UI_USER` (optional), `CAMELEER_UI_PASSWORD` (optional), `LOGTO_PG_USER`, `LOGTO_PG_PASSWORD`, `LOGTO_ENDPOINT` (public-facing Logto URL, e.g., `https://auth.cameleer.my.domain`), `LOGTO_ADMIN_ENDPOINT` (admin console URL), `CAMELEER_OIDC_ISSUER_URI` (optional, for resource server M2M token validation), `CAMELEER_OIDC_AUDIENCE` (optional, API resource indicator), `CAMELEER_OIDC_TLS_SKIP_VERIFY` (optional, skip TLS cert verification for self-signed CAs).
+Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN`, `CAMELEER_SERVER_SECURITY_JWTSECRET`, `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB`, `CLICKHOUSE_USER`, `CLICKHOUSE_PASSWORD`, `CAMELEER_SERVER_SECURITY_UIUSER` (optional), `CAMELEER_SERVER_SECURITY_UIPASSWORD` (optional), `LOGTO_PG_USER`, `LOGTO_PG_PASSWORD`, `LOGTO_ENDPOINT` (public-facing Logto URL, e.g., `https://auth.cameleer.my.domain`), `LOGTO_ADMIN_ENDPOINT` (admin console URL), `CAMELEER_SERVER_SECURITY_OIDCISSUERURI` (optional, for resource server M2M token validation), `CAMELEER_SERVER_SECURITY_OIDCAUDIENCE` (optional, API resource indicator), `CAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY` (optional, skip TLS cert verification for self-signed CAs).
 
 ### Manual K8s Commands